ACSC Essential Eight Compliance and Audit

Nortec offers comprehensive assistance in assessing your cyber risk in accordance with the Essential Eight. Our Assessors are trained and certified in ACSC Essential Eight Compliance.
We can assist in three ways.

Essential Eight Compliance Audit

Our Accredited Assessors have been trained to perform comprehensive ACSC Essential Eight (E8) Audits at all levels. E8 Assessments are completed on a level-by-level process. You are initially assessed on Level One, Then Levels two and three.

ACSC Essential Eight - Cyber Protection.

Prepare for Essential Eight Complaince

Implementing the ACSC Essential Eight is not foolproof, but it significantly raises the bar for attackers, making it much harder and more time-consuming to breach your defenses. Have your IT team work with us to to bring you up to your preferred Essential Eight Level.

Essential Eight Implementation

If you are starting out on your ACSC Essential Eight Journey, we have tailored Managed Solutions which we can implement to help you achieve your targeted Essential Eight Level.

What is the ACSC Essential Eight?

Imagine your network as a medieval castle. The ACSC Essential Eight are like eight sturdy shields protecting it from a barrage of cyberattacks. Developed by the Australian Signals Directorate (ASD), these eight strategies are the frontline defense for any organization operating in the digital age.

The Eight Sheilds are

PATCH Applications.

Regularly update software applications to plug security holes used by attackers. Think of it as mending worn patches on your armor.

Patch Operating Systems

Keep your operating systems, like Windows or macOS, up-to-date to address vulnerabilities. This reinforces the castle walls.

Multi-Factor Authentication:

Add an extra layer of security beyond passwords with multi-factor authentication. It’s like having a drawbridge and portcullis before the main gate.

Restrict Administrative Privileges:

Limit who has admin access to critical systems, just like assigning trusted knights to guard the armory.


Only allow authorised applications to run on your systems, preventing malware from sneaking in like disguised invaders. It’s like having a list of approved visitors for your castle.


Disable macros in Microsoft Office documents, a common entry point for malicious code. This is like carefully inspecting incoming scrolls for hidden traps.


Configure settings to make applications more resistant to attacks, like adding extra locks on the treasure vault doors.


Regularly back up your data so you can restore it if it’s compromised, like having a secret escape tunnel with hidden supplies.

Unpacking the Levels of the ACSC Essential Eight

The ACSC Essential Eight isn’t just a checklist; it’s a compass for Australian businesses to navigate the ever-changing cyber landscape. Understanding the differences between the Levels empowers businesses to chart their own course, building progressively stronger defenses and becoming increasingly resilient against cyber threats. Remember, even the smallest steps towards improved security can significantly enhance your cybersecurity posture and safeguard your valuable data and operations.

Level Zero: Unprotected Fortresses

Imagine Level Zero as an unguarded castle, vulnerable to even the most basic attacks. Businesses at this level lack the fundamental controls outlined in the Essential Eight, leaving their systems and data exposed. Patching applications and operating systems, enforcing multi-factor authentication, and restricting administrative privileges are non-existent, making them easy targets for cybercriminals.

Level One: Building the Basics

At Level One, basic defenses are erected. Think of it as raising the drawbridge and closing the first gate. Businesses patch critical applications and operating systems, implement multi-factor authentication for some accounts, and restrict some administrative privileges. While this marks a significant improvement, vulnerabilities remain due to incomplete control implementation, weak user passwords, and potential gaps in application control.

Level Two: Strengthening the Walls

Level Two sees significant fortification. The castle walls thicken with stricter application control, comprehensive patching across systems, and enhanced multi-factor authentication for most accounts. User application hardening adds additional layers of protection, and restrictions on administrative privileges tighten further. However, potential weaknesses may still linger in areas like unrestricted Microsoft Office macros and infrequent backups.

Level Three: The Impregnable Citadel

Reaching Level Three signifies a formidable fortress. Microsoft Office macros are disabled, regular backups are automated, and user application hardening is optimized. This level reflects a proactive approach to cyber defense, minimizing vulnerabilities and maximizing system resilience. However, even the most secure systems require constant vigilance, so continuous improvement and adaptation to evolving threats remain crucial.

Not all businesses need to reach the apex of Level Three immediately. Smaller businesses may prioritize achieving Level One or Two initially, focusing on the most impactful controls within their resources. Larger organizations with complex systems and higher risks may prioritize reaching Level Three, while continuously evaluating their posture for further optimization.

What are your Legal Obligations

Current Obligations

Australian businesses face a dynamic and complex landscape regarding cyber security legislation. Meeting ACSC Essential Eight compliance can ensure you meet these obligations. Here are some key legislative concerns you need to consider

Privacy Act 1988 and the Notifiable Data Breaches Scheme.

The Privacy Act 1988 protects Australians’ personal information held by businesses and government agencies. It outlines principles for handling data and gives individuals rights to access and correct their information. The Notifiable Data Breaches Scheme, part of the Act, requires organizations to notify affected individuals and the government if a data breach is likely to cause serious harm. This includes unauthorized access, loss, or disclosure of information like names, addresses, or financial details.

Protecting Critical Infrastructure and Essential Services Act 2018 (PCIES Act)

This Act impacts businesses involved in Australia’s critical infrastructure, like energy, healthcare, and finance.  Businesses must identify and report cybersecurity incidents, invest in stronger cyber defenses, and comply with government regulations.  The Act fosters information sharing between businesses and government agencies, aiding collective defense against cyber threats. Requires prompt reporting of incidents and responsible data handling.

Surveillance Legislation Amendment (Identify and Disrupt) Act 2021

The Act grants the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) new tools to combat online crime, including Data disruption warrants: Modifying or deleting data to thwart illegal activities (imagine cutting off a cybercriminal’s escape route). Network activity warrants: Collecting intelligence on criminal networks operating online. Account takeover warrants: Temporarily taking control of online accounts for investigations.

Australian Cyber Security Strategy 2023-2030

The Act outlines a comprehensive plan to make Australia a world leader in cyber security by 2030. It has significant implications for Australian businesses. This includes increased compliance costs for businesses, as they implement new security measures and reporting requirements. Small business burden: The strategy may place a heavier burden on small businesses, which may lack the resources or expertise to implement all of the recommended measures.

Australian Consumer Law

Businesses should understand how the ACL applies to their cyber security practices. Implementing robust security measures, clear consumer policies, and transparent communication go a long way in ensuring compliance and building trust with customers. Breaches of the ACL can lead to fines, compensation orders, and reputational damage. Additionally, consumer class actions are becoming more common in data security cases.

Industry Specific Regulations

Beyond general laws, Australian businesses face industry-specific security regulations. Some of these are.

Finance: The Australian Prudential Regulation Authority (APRA) enforces strict cybersecurity standards for banks and insurers. This includes data encryption, incident reporting, and risk assessments.

Healthcare: The Health Information Privacy Code regulates patient data in healthcare organizations. They must adhere to specific security measures to prevent unauthorized access and breaches.

Energy: The Electricity Security Act mandates cybersecurity measures for energy providers to protect critical infrastructure from cyberattacks that could disrupt electricity supply.

Telecommunications: The Telecommunications Act gives the Australian Communications and Media Authority (ACMA) power to enforce data security obligations for ISPs and telcos, including incident reporting and user data protection.

Upcoming Regulations and Reforms

Mandatory data breach notification: Expanding the scope of the Privacy Act to require mandatory reporting of data breaches for all businesses, not just those holding sensitive information.

Critical infrastructure security standards: Setting mandatory security standards for critical infrastructure providers in various sectors.

Cybersecurity incident reporting: Standardizing incident reporting requirements across different industries and regulators.

Cybersecurity skills and training: Mandating or incentivizing businesses to provide cybersecurity training for their employees.

Ransomware payments: Exploring options for regulating or even prohibiting ransomware payments.